I have just released a new script in my GitHub repository that will report on the local device Attack Surface Reduction settings (ASR) as shown above. You’ll find it here:
https://github.com/directorcia/Office365/blob/master/win10-asr-get.ps1
There are no prerequisites. Just run it on your Windows 10 devices to produce the report.
If you are looking to change the ASR settings for your environment, I suggest you have a read of my previous article:
Attack surface reduction for Windows 10
I’d strongly encourage you to enable ASR across your Windows 10 fleet to reduce risks of attack.
This is great. I was testing 2 policies and had my main policy with all the rules enabled as I wanted, and then a second policy that just had the vulnerable signed drivers rule in Audit mode. However, with this script I discovered that creating the new rule had disabled all the rules in the main policy... it seems that having 2 policies doesn't sit well together.
Thank you! Do you know of a way to pull the path exclusions?
https://learn.microsoft.com/en-us/powershell/module/defender/add-mppreference?view=windowsserver2022-ps
[-ExclusionPath ]
Would you or anyone know why the Block persistence through WMI event subscription rule is only applying to the system account? It is pushed via Intune to a devices group. Thank you.
Typically this is because the policy is applied to a device, not a user, in Intune, as you have done. If it is applied to a device it is therefore in place for all users of that device.
Thanks, it's just weird... Intune shows it deployed, yet the Security console shows it as not deployed, since it still appears as a vulnerability on the devices it says it's installed on.
Intune is weird and inconsistent in my experience. I check the endpoint to ensure, as I've found Intune doesn't always report correctly.